Enabling the Spammers

Spammers are having a field day with a string of recently discovered security vulnerabilities in MailEnable, an e-mail server program offered by many large, dedicated Web hosting companies.

Over the past few months, MailEnable has released updates at least a half dozen times to fix quite serious vulnerabilities in its various products that attackers can use to completely hijack vulnerable systems. Unfortunately, it looks like many customers either are not registered (and thus not receiving e-mail notices from MailEnable about the flaws), or they are simply ignoring the alerts.

"We are seeing hundreds of mail servers getting compromised via the rash of MailEnable vulnerabilities that have been discovered and announced in the last few months," said Lawrence Baldwin, chief forensics officer for myNetWatchman.

Baldwin's company often is contacted by people who were referred by an Internet service provider that has blocked the customer from sending e-mail due to evidence that his or her system has been compromised and is being used to blast out spam. myNetWatchman also gives away a program that will monitor your firewall logs for odd activity and alert you if your system shows signs of compromise.
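The firewall-log monitoring described above is a reasonable place for a defender to catch a relay-hijacked mail server early. The script below is an added illustration, not myNetWatchman's tool or any code from MailEnable: it scans outbound-connection log lines and flags any host that reaches an unusual number of distinct SMTP (port 25) destinations within a short window, the signature of a system being used to blast out spam. The log format, the threshold and the sample lines are all constructed for the example.

```python
"""Flag hosts whose outbound SMTP fan-out looks like a spam relay.

Added example (not myNetWatchman's or MailEnable's code).  The firewall
log format, the 5-minute / 10-destination threshold and every sample
line are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "YYYY-MM-DD HH:MM:SS ACTION src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_spam_relays(lines, window=timedelta(minutes=5), max_distinct=10):
    """Return {src_ip: peak_distinct_destinations} for hosts that contact more
    than `max_distinct` different SMTP servers inside any `window`-long span.

    Only allowed connections to port 25 count; blocked attempts and other
    ports are ignored so ordinary web traffic does not inflate the score.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "ALLOW" and ev["dport"] == 25:
            events[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        # Sliding window anchored at each event: count distinct destinations
        # reached within `window` of that event.
        for i, (start, _) in enumerate(evs):
            dsts = {d for t, d in evs[i:] if t - start <= window}
            peak = max(peak, len(dsts))
        if peak > max_distinct:
            flagged[src] = peak
    return flagged


def _constructed_log():
    """Build sample lines: one spam-relay host, one normal host, one denied hit."""
    base = datetime(2006, 3, 1, 10, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    # 10.0.0.5 behaves like a hijacked relay: 12 destinations in under a minute.
    for i in range(12):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts:{fmt}} ALLOW 10.0.0.5:{40000 + i} -> 203.0.113.{10 + i}:25")
    # 10.0.0.6 sends ordinary mail to two servers and makes one HTTPS request.
    lines.append(f"{base:{fmt}} ALLOW 10.0.0.6:40100 -> 198.51.100.20:25")
    lines.append(f"{base + timedelta(minutes=2):{fmt}} ALLOW 10.0.0.6:40101 -> 198.51.100.21:25")
    lines.append(f"{base + timedelta(minutes=3):{fmt}} ALLOW 10.0.0.6:40102 -> 198.51.100.22:443")
    # A blocked SMTP attempt from 10.0.0.7 must not count as a relay.
    lines.append(f"{base:{fmt}} DENY 10.0.0.7:40200 -> 192.0.2.5:25")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, peak in detect_spam_relays(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {peak} distinct SMTP destinations within 5 minutes")
```

A real deployment would read the firewall's own export format and tune the threshold to the server's normal mail volume; the point of the check is that a legitimate mail server talks to a handful of peers per minute, while a spam relay fans out to hundreds.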

Exploit code showing would-be spammers exactly how to exploit the MailEnable flaws has been posted to several high-profile exploit sites (ironically, one exploit is named "maildisable.pl"), and attackers have been using it with great success, Baldwin said. "We could actually see that the miscreants became aware of a new vulnerability in early to mid January, had a full month of ravaging and pillaging MailEnable systems" before a patch was released.

myNetWatchman has had nearly four dozen referrals from MailEnable users who scanned their systems and found infections. That's a significant share of its traffic: The company generally receives between 100 and 200 distinct submissions each day.

Baldwin said that in addition to using hijacked systems to send spam (this guy apparently had someone sending Western Union scam mails through his MailEnable server last week), the bad guys are dropping code that steals passwords on the infected system. It also spies on the Microsoft Windows remote desktop protocol (RDP) traffic to steal passwords from users who log on remotely to administer their mail servers.

But wait, it gets better. The attackers also appear to be planting tools that enable them to crack encrypted Windows system passwords. Why would hackers in this day and age go through all the trouble of doing that when they already have total control over an infected machine? According to Baldwin, many Web hosting providers using MailEnable are placing large numbers of systems on the same Windows Active Directory domain and using the same password to remotely configure the machines. Ergo, crack the password of a Web hosting provider using this set-up, and you suddenly control all of the hosting company's mail servers.

Ron Bradburn, director of engineering for Vancouver, Canada-based Peer 1 Dedicated Hosting, said his company bundles MailEnable for its dedicated hosting customers and that Peer 1 began receiving a spike in support calls related to compromised MailEnable systems in mid-February. "That's when the hackers started actively exploiting that and potentially setting up large bot networks."

Bot networks, also known as botnets, are large groupings of compromised PCs that cyber criminals use for everything from spamming to attacking others online to hosting scam Web sites. After a brief lull in botnet activity over the December holiday season, the number of new, compromised machines has skyrocketed recently. According to Shadowserver.org, a volunteer, nonprofit group that tracks botnets, the number of compromised machines has tripled in the past two weeks.

Bradburn declined to discuss his company's network setup or say how many of his customers were compromised by this vulnerability. "I can tell you that it's been a big problem for us. MailEnable is a very widely used e-mail client because it's free, but a lot of people don't monitor the third party software installed on their Web hosting machines."

Unfortunately, organizations whose servers have been compromised will remain compromised even after applying the MailEnable updates. The more popular exploit for these vulnerabilities works by injecting itself into the Windows logon process, which can be quite a tricky thing to fix.

"I think the hackers' intentions have been to collect as many login accounts or authentication mechanisms to the compromised machines as they can, so that even after the infection is cleaned up, they can still get back in," he said.

Bradburn said Peer 1 offers back-up services that can help customers recover from such intrusions, but that many customers do not choose that option. For those folks, he said, the only safe route is to reinstall the operating system on the Web host.

It's an even trickier thing for the anti-virus companies to detect: This attack uses four different components, few of which were detected by any of the more than two-dozen anti-virus scanning engines over at VirusTotal. That's scary, when you consider that this malware has been in the wild for more than two months now. The results of each scan are available at VirusTotal (if you're having trouble viewing the results, make sure you've enabled JavaScript for Virustotal.com).